Tapping into the Potential of the Network Tap

By André Vink, November 19, 2018

Everyone’s talking about Network Visibility and how essential it is for network stability and security. However, to really understand its importance, you have to examine each component of network visibility and how it contributes to the overall picture. It’s imperative to consider how each network visibility component interfaces with and complements other components and how critical an effective visibility layer is in supporting robust network security.

In today’s post, we’ll cover network taps, their features, and functions, and typical network taps use cases. Let’s get started.

Network Tap: Overview and Its Role in the Network Visibility Layer

A network tap is analogous to the plumbing fitting used to ‘tap into’ a water pipe: open the tap and part of the flow is drawn off while the pipe keeps carrying the rest. The network tap does the same for a network link (the term is usually expanded as Test Access Point, sometimes Traffic Access Point).

The tap, like its plumbing equivalent, is installed inline on the network cabling (the ‘pipeline’): the link is broken once, briefly, to insert it, and from then on it copies or splits every frame passing in each direction without altering the live traffic. The copies are sent out of the tap’s monitor ports to other devices for security monitoring, troubleshooting, or network performance management.

This gives full visibility of every packet on the link, including undersized, oversized and CRC-errored frames, without consuming switch CPU or forwarding resources the way a SPAN/mirror port does. A mirror port is a low-priority copy that the switch silently drops when it is busy and that omits errored frames; a tap has nothing to drop. That is what makes taps a foundation of the visibility layer.

In a well-designed network topology, the taps are placed at key traffic points and are ‘ready for duty’ as required. Once the taps are installed, monitoring and analysis devices are easily attached and detached (for example, for maintenance) without affecting traffic flow or business continuity.

Pricing for taps is relatively low, making them a good CapEx choice, and because a tap needs minimal or no configuration there is little ongoing OpEx either. Overall, cost-effectiveness is an important part of the network tap’s value.

Selecting the Type of Tap for Optimum Gain

While there are various types of taps, taps deployed in enterprise networks fall into the following two categories: Passive and Active.

A passive tap is an optical device: it splits the light carrying the traffic in a fiber-optic link, so it works only on fiber. (Passive copper taps exist for legacy 10/100 Mbps links; gigabit and faster copper links must be tapped with an active tap.) Splitting the light does not change a single bit of the traffic, but it removes a fixed fraction of the optical power from each leg, so the split ratio has to be included in the link’s optical power budget: a 50/50 splitter costs about 3 dB on both legs, while a 70/30 splitter costs the live network about 1.5 dB and the monitor leg about 5.2 dB. One stream (network) continues on, undisturbed, through the link, while the second (monitor) stream is delivered to an endpoint, typically a network monitoring, inspection, or analysis device. A passive tap needs no power source and, having no electronics, cannot fail in a way that takes the link down.
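
The optical-budget check described above, as an added worked example (not code from the original post or from any tap vendor). The optic power, receiver sensitivity, fiber, excess and connector loss figures are constructed assumptions for illustration; substitute the numbers from your own transceiver and tap datasheets.

```python
import math


def split_loss_db(fraction: float) -> float:
    """Loss in dB on a splitter leg that carries `fraction` of the input light.

    A 50/50 splitter costs about 3.0 dB on each leg; a 70/30 splitter costs
    about 1.5 dB on the 70% (live network) leg and 5.2 dB on the 30% (monitor) leg.
    """
    if not 0.0 < fraction < 1.0:
        raise ValueError("split fraction must be strictly between 0 and 1")
    return -10.0 * math.log10(fraction)


def leg_margin_db(tx_power_dbm: float, rx_sensitivity_dbm: float,
                  fiber_loss_db: float, split_fraction: float,
                  excess_loss_db: float = 1.0, connector_loss_db: float = 0.5,
                  added_connectors: int = 2) -> float:
    """Power margin in dB left at the receiver on one leg of the tap.

    Inserting the tap adds the split loss, the splitter's own excess loss and
    two extra connector pairs to the loss the fiber path already has. The
    excess and connector defaults are assumed values, not vendor figures.
    A negative margin means the receiver sits below its sensitivity and the
    leg will not link up.
    """
    total_loss_db = (fiber_loss_db
                     + split_loss_db(split_fraction)
                     + excess_loss_db
                     + added_connectors * connector_loss_db)
    return tx_power_dbm - total_loss_db - rx_sensitivity_dbm


def check_passive_tap(tx_power_dbm: float, rx_sensitivity_dbm: float,
                      network_fiber_loss_db: float, monitor_fiber_loss_db: float,
                      network_fraction: float) -> dict:
    """Evaluate both legs of a passive tap with the given split ratio."""
    net = leg_margin_db(tx_power_dbm, rx_sensitivity_dbm,
                        network_fiber_loss_db, network_fraction)
    mon = leg_margin_db(tx_power_dbm, rx_sensitivity_dbm,
                        monitor_fiber_loss_db, 1.0 - network_fraction)
    return {
        "network_margin_db": round(net, 2), "network_ok": net >= 0.0,
        "monitor_margin_db": round(mon, 2), "monitor_ok": mon >= 0.0,
    }


if __name__ == "__main__":
    # Constructed figures: an optic launching -8.2 dBm into receivers rated at
    # -14.4 dBm (a 6.2 dB budget); 2 km of single-mode fiber at 0.4 dB/km on the
    # live link (0.8 dB); the tap sits next to the transmitting switch, so the
    # monitor leg only sees a short patch cord (0.2 dB) to the tool.
    print(check_passive_tap(-8.2, -14.4, 0.8, 0.2, 0.70))
```

With these assumed numbers the live network leg keeps about 1.9 dB of margin, but the 30% monitor leg comes out roughly 1.2 dB short, which is the usual reason a tap is ordered with a 50/50 split on short links, or the monitoring tool is given a more sensitive receiver, or the tap is moved so the monitor leg sees less fiber.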

An active tap is a powered electronic device that the traffic flows through. Like a passive tap it duplicates the flow and forwards the replicated stream to an endpoint, but because it does not rely on optics it works on either copper or fiber cabling; in exchange it needs a continuous power source. A well-designed active tap fails to a ‘bypass’ state when power is lost (on copper taps, mechanical relays reconnect the two network ports directly), so the live link stays up. The relay switchover itself typically forces a brief link renegotiation, so check the vendor’s stated failover time on availability-sensitive links. Note that bypass only protects the network side: the monitor stream stops until power returns, so taps feeding critical monitoring are usually ordered with dual, independently fed power supplies.

In addition to standard network taps, there are other breeds of tap types that include:

  • BiDi (bidirectional) taps
  • Link aggregation taps
  • Port aggregation taps
  • Regeneration taps

For more about the different tap types, see our blog “How to Choose a Network Tap”.

Why do you need a Network Tap?

The enterprise network is business-critical infrastructure that is in continuous use and constant flux. As long as everything is ticking away and there are no problems, great. Unfortunately, most networks lack proper visibility: knowing what is happening on the wire at any given moment. That matters not only in ‘worst-case’ scenarios but in daily operation, when traffic peaks strain or overload resources and the symptoms (drops, retransmissions, latency) are only visible in the packets themselves.

This is where network visibility comes into play, and where the taps begin to “flex their muscle”.

For example, even if everything seems to be working smoothly, what indication(s) would you have that there may be a problem, a looming problem or even a malicious breach in the network? If the network firewall or Intrusion Detection System (IDS) have identified a breach or attempt at one, could you still pinpoint the source?

Your network architect and network administrator know that not all attacks can be prevented. Although they rely heavily on automated security controls to block infiltration, they need the option to investigate and intervene when an incident goes beyond what those controls handle on their own.

They also need to pinpoint weaknesses in the security infrastructure. The more taps distributed across the network, the easier it is to localize a problem to a segment. Attaching and detaching monitoring and analysis devices at tap access points, as mentioned above, can be done quickly and as needed, without any added programming or configuration on the production switches.

Network Tap Aggregation

The devices attached to the taps are non-intrusive and operate out-of-band: they receive copies of the traffic and put no extra load on network resources such as switch processing. A full-duplex link is really two unidirectional streams, and a basic tap presents them on two separate monitor ports. Aggregation taps (and most packet brokers) combine the two directions into a single output stream, so a tool with one capture interface sees the whole conversation in order.

This lets the security devices connected via taps monitor both sides of full-duplex traffic, which is what they need to reconstruct sessions and judge whether a connection was actually established rather than merely attempted. One caveat: aggregating both directions of a 1 Gbps link onto a single 1 Gbps monitor port oversubscribes that port as soon as the combined utilization exceeds line rate, and the excess is dropped; size the monitor port for the sum of both directions. Because the tool is out-of-band, its responses to malicious traffic are limited to what it can inject back through a separate interface, such as a TCP reset or an ICMP unreachable to tear down a session, or an alert to an inline control such as the firewall; it cannot itself drop packets on the live link.

In this manner, the security mechanisms can respond to real-time threats such as intrusions and breach attempts, send the relevant notifications, and follow the appropriate incident-response procedure.

Two is Better Than One: The Tap and the NPB

Adding a network packet broker (NPB) as a “companion” to the tap shortens the time it takes to get the right packets in front of the right tool during a security event, and with it the mean time to repair (MTTR). The NPB sits after the tap and takes the raw monitor streams; it filters (by VLAN, address, port or protocol), deduplicates the copies of the same packet that arrive from several taps, aggregates or load-balances, and forwards each tool only the traffic it should see. That keeps the tools from being overrun by traffic they cannot use and ensures that an IDS, a packet recorder and an analytics platform each receive a complete, unduplicated view of the flows they are responsible for.
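
The filter-and-deduplicate data path described above, as an added example (not code from the original post or from any NPB vendor). The dedup key hashes the fields that stay constant as a packet crosses the network and deliberately ignores TTL and Ethernet addresses, because the same packet captured by two taps a router hop apart differs only in those. The packets, addresses, tool names and filter rules are constructed; a real broker does this in hardware and lets you choose which fields go into the key.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]
Rule = Tuple[str, Callable[[Packet], bool]]   # (tool name, filter predicate)


def dedup_key(pkt: Packet) -> str:
    """Hash only the fields that stay constant as the packet crosses the network.

    TTL, IP checksum and the MAC addresses change hop by hop and are left out.
    Hashing the payload as well as the headers keeps two distinct packets that
    happen to reuse an IP ID from being merged into one.
    """
    h = hashlib.sha256()
    for field in ("src", "dst", "proto", "sport", "dport", "ip_id"):
        h.update(str(pkt[field]).encode() + b"|")
    h.update(bytes(pkt["payload"]))  # type: ignore[arg-type]
    return h.hexdigest()


class PacketBroker:
    """Minimal NPB data path: dedup within a time window, then filter to tools."""

    def __init__(self, rules: List[Rule], dedup_window_s: float = 0.1) -> None:
        self.rules = rules
        self.window = dedup_window_s
        self._last_seen: Dict[str, float] = {}
        self.delivered: Dict[str, List[Packet]] = defaultdict(list)
        self.duplicates_dropped = 0

    def ingest(self, pkt: Packet) -> List[str]:
        """Return the tools the packet was forwarded to (empty if deduplicated)."""
        key = dedup_key(pkt)
        ts = float(pkt["ts"])  # type: ignore[arg-type]
        last = self._last_seen.get(key)
        if last is not None and ts - last <= self.window:
            self.duplicates_dropped += 1
            return []
        self._last_seen[key] = ts
        targets = [tool for tool, matches in self.rules if matches(pkt)]
        for tool in targets:
            self.delivered[tool].append(pkt)
        return targets


# Constructed tool map: TLS to the IDS, DNS to the DNS analytics box, everything
# to the packet recorder. Rules are evaluated independently, so a packet can
# go to several tools.
RULES: List[Rule] = [
    ("ids",           lambda p: p["proto"] == "tcp" and 443 in (p["sport"], p["dport"])),
    ("dns-analytics", lambda p: p["proto"] == "udp" and 53 in (p["sport"], p["dport"])),
    ("full-capture",  lambda p: True),
]


def pkt(ts, src, dst, proto, sport, dport, ip_id, ttl, payload) -> Packet:
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "ip_id": ip_id, "ttl": ttl, "payload": payload}


# Constructed feed: the same TLS ClientHello seen by an edge tap and, one hop
# and 2 ms later, by a core tap (TTL 64 -> 63); a DNS query; the server's reply.
SAMPLE_FEED: List[Packet] = [
    pkt(0.000, "10.0.0.5", "203.0.113.7", "tcp", 40000, 443, 0x1A2B, 64, b"\x16\x03\x01\x00\xc8\x01"),
    pkt(0.002, "10.0.0.5", "203.0.113.7", "tcp", 40000, 443, 0x1A2B, 63, b"\x16\x03\x01\x00\xc8\x01"),
    pkt(0.005, "10.0.0.5", "10.0.0.53",   "udp", 51000, 53,  0x0C01, 64, b"\x12\x34\x01\x00\x00\x01"),
    pkt(0.030, "203.0.113.7", "10.0.0.5", "tcp", 443, 40000, 0x7F10, 57, b"\x16\x03\x03\x00\x5a\x02"),
]


def run_sample() -> Dict[str, int]:
    """Feed the constructed packets through the broker and count deliveries per tool."""
    broker = PacketBroker(RULES)
    for p in SAMPLE_FEED:
        broker.ingest(p)
    counts = {tool: len(pkts) for tool, pkts in broker.delivered.items()}
    counts["duplicates_dropped"] = broker.duplicates_dropped
    return counts


if __name__ == "__main__":
    print(run_sample())
```

The second copy of the ClientHello is dropped, the IDS receives the two TLS packets and nothing else, the DNS tool receives only the query, and the recorder gets all three unique packets. The dedup window is there because IP IDs wrap and are reused; keep it just longer than the largest propagation delay between your taps.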

And One More Thing…

To conclude, I’d like to mention one more issue that has recently become important to consider. A tap copies every frame on the link, errored frames included, and does so regardless of how busy the switches are, so the monitor stream is a complete record of what crossed the wire. The only places packets can still be lost are a monitor port that is oversubscribed, a tool that cannot keep up, and, for an active tap, loss of power to the monitor side. That completeness has become significant because of new regulation.

In May 2018 the European GDPR (General Data Protection Regulation) came into force. Among other things it requires organizations to detect breaches of personal data, notify the supervisory authority within 72 hours, and be able to account for what happened. A capture fed from a mirror port that silently dropped packets under load has gaps exactly when they matter most, whereas a tap-fed capture lets you establish what data actually left the network. Bear in mind that a full packet capture is itself a store of personal data: restrict access to it, encrypt it at rest, and keep it only as long as the investigation and your retention policy require.

Enabling your business to achieve pervasive network visibility is tricky, especially with complex network architectures. Network taps are a fundamental component in making complete network visibility possible. Don’t settle for second-rate visibility; contact our team of dedicated experts to discuss your own network visibility challenges.
